MySQL SSL Gives Warnings about big name Certificate Authorities

I have been able to set up my MySQL to use Let's Encrypt certificates with the steps below. Unfortunately, it is issuing warnings about official certs being self-signed (like from DigiCert, Comodo, etc.), so I wonder if there's something missing from the configuration. Anyway, here's my SSL configuration:

    [mysqld]
    require_secure_transport = on
    mysqlx = 0
    ssl_capath  = /etc/ssl/certs
    ssl_ca      = /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem
    ssl_cert    = /etc/mysql/cert.pem
    ssl_key     = /etc/mysql/privkey.pem
    ssl_cipher  = DHE-RSA-AES256-GCM-SHA384
    tls_version = TLSv1.2

the problem

Everything in the ssl_capath comes up as a warning in the startup log (I'm doing tail -f /var/log/mysql/error.log):

    YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/SwissSign_Gold_CA_-_G2.pem is self signed.
    YYYY-MM-DDTHH:mm:ss.SSSSSZ 0 [Warning] [MY-010068] [Server] CA certificate /etc/ssl/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem is self signed.
    ...

background

The ssl_ca file is from doing wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem -O /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem

The ssl_cert is from getting my LE live subfolder cert.pem file, same with the ssl_key (from LE's privkey.pem). I've also restricted cipher and TLS version, but that's probably not it.

To verify that everything is indeed working correctly, I have added the following to my client configuration (locally, not on that server):

    [mysql]
    ssl_capath = /etc/ssl/certs

and this session output:

    user@localhost:~$ mysql --ssl-mode=VERIFY_IDENTITY -h mydomain.mytld -u remote -p -e "show variables like '%ssl%'; show session status like '%cipher%';"
    +-------------------------------------+-------------------------------------------------+
    | Variable_name                       | Value                                           |
    +-------------------------------------+-------------------------------------------------+
    | admin_ssl_ca                        |                                                 |
    | admin_ssl_capath                    |                                                 |
    | admin_ssl_cert                      |                                                 |
    | admin_ssl_cipher                    |                                                 |
    | admin_ssl_crl                       |                                                 |
    | admin_ssl_crlpath                   |                                                 |
    | admin_ssl_key                       |                                                 |
    | have_openssl                        | YES                                             |
    | have_ssl                            | YES                                             |
    | performance_schema_show_processlist | OFF                                             |
    | ssl_ca                              | /etc/ssl/certs/lets-encrypt-x3-cross-signed.pem |
    | ssl_capath                          | /etc/ssl/certs                                  |
    | ssl_cert                            | /etc/mysql/cert.pem                             |
    | ssl_cipher                          | DHE-RSA-AES256-GCM-SHA384                       |
    | ssl_crl                             |                                                 |
    | ssl_crlpath                         |                                                 |
    | ssl_fips_mode                       | OFF                                             |
    | ssl_key                             | /etc/mysql/privkey.pem                          |
    +-------------------------------------+-------------------------------------------------+
    +--------------------------+------------------------------------------------------------------------------------------------------+
    | Variable_name            | Value                                                                                                |
    +--------------------------+------------------------------------------------------------------------------------------------------+
    | Current_tls_cipher       | DHE-RSA-AES256-GCM-SHA384                                                                            |
    | Current_tls_ciphersuites |                                                                                                      |
    | Ssl_cipher               | DHE-RSA-AES256-GCM-SHA384                                                                            |
    | Ssl_cipher_list          | TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384 |
    +--------------------------+------------------------------------------------------------------------------------------------------+
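
An added example, not part of the original post: a shell check that reports which PEM files in a CA directory such as the post's ssl_capath have identical subject and issuer names, the property a root CA certificate has by construction. It assumes the openssl CLI is installed; the function names are hypothetical, and the demo certificates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: "self signed" is
# approximated as subject name == issuer name, compared via OpenSSL name hashes.

# classify_cert FILE -> prints "self-signed" or "issued"; returns 2 if unreadable.
# Only the first certificate in a multi-certificate PEM file is examined.
classify_cert() {
    hashes=$(openssl x509 -in "$1" -noout -subject_hash -issuer_hash 2>/dev/null) || return 2
    # Intentional word splitting: the two hashes become $1 and $2.
    set -- $hashes
    if [ "$1" = "$2" ]; then echo "self-signed"; else echo "issued"; fi
}

# scan_capath DIR -> one "<class> <file>" line per *.pem file in DIR.
scan_capath() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] || continue
        class=$(classify_cert "$f") || class="unreadable"
        printf '%s %s\n' "$class" "$f"
    done
}

# make_demo_capath DIR -> fills DIR with a constructed throwaway root and a
# certificate issued by it (test data only, never for real use).
make_demo_capath() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Issued" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# With a directory argument, scan it; with none, scan a constructed demo directory.
if [ "$#" -gt 0 ]; then
    scan_capath "$1"
else
    demo=$(mktemp -d) && make_demo_capath "$demo" && scan_capath "$demo"
    rm -rf "$demo"
fi
```

Passing /etc/ssl/certs as the argument lists each file in that directory with its classification, which can be compared against the files named in the MY-010068 warnings.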